The Identity Project 

www. Paper sPlease. or g 

1222 Preservation ParkWay, Suite 200 

Oakland, CA 94612 
510-208-7744 (office) 
415-824-0214 (cell/mobile) 

February 4, 2019 

Eleanor D. Acheson, Executive Vice President, General Counsel, and Corporate Secretary 
Law Department 

National Railroad Passenger Corporation (Amtrak) 

One Massachusetts Avenue, NW 
Washington, DC 20001 

Re: FOIA request 15-FOI-00021 

FREEDOM OF INFORMATION ACT APPEAL 


This is an appeal under the Freedom of Information Act, 5 U.S.C. §552. 

On October 29, 2014,1 submitted a request by e-mail to 
< foiarequests@amtrak.com > for access to and copies of certain records pertaining to 
Amtrak policies and procedures related to the use and sharing with other government 
agencies of data pertaining to Amtrak passengers and customers. 

My request included the following seven categories of records: 

“(1) Any records of policies, procedures, technical specifications, contracts 
(including agency appointment agreements), or directives to staff, contractors, or agents 
pertaining to transfers of data about Amtrak passengers or customers to the Department 
of Homeland Security (DHS), any DHS component including US Customs and Border 
Protection (USCBP), the Canadian Border Services Agency (CBSA), any other Canadian 
government agency, or any other foreign government, or the subsequent handling or use 
of such data, including without limitation Advanced Passenger Information (API) and any 
personally identifiable data obtained or derived from the ARROW reservation system. 

(2) Any records pertaining to the legal basis for such data transfers, including any 
e-mail messages pertaining to this subject within or between Amtrak, Amtrak agents, 
Amtrak contractors, and any third party or parties. 
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“(3) Any records of policies, procedures, technical specifications, contracts 
(including agency appointment agreements), or directives to staff, contractors, or agents 
(including without limitation travel agencies and agents authorized to sell Amtrak tickets, 
and other ARROW users) regarding disclosures to be made concerning transfers of data 
about Amtrak passengers or customers to government agencies including DHS. 

“(4) Any records of policies, procedures, reports, or directives to staff, 
contractors, or agents (including without limitation travel agencies and agents authorized 
to sell Amtrak tickets, and other ARROW users) regarding compliance with the Personal 
Information Protection and Electronic Documents Act (PIPEDA) of Canada, including 
handling of requests for records or other requests or complaints made pursuant to 
PIPEDA and any disclosures to be made to passengers or customers. 

“(5) Any e-mail messages within or between Amtrak and Amtrak agents, Amtrak 
contractors, and any third party or parties containing any of the text strings ‘Personal 
Information Protection and Electronic Documents Act’, ‘PIPEDA’, or ‘Privacy 
Commissioner of Canada’.” 

“(6) Any electronic file in which any of the above records are included. 

“(7) All metadata pertaining to any such file, such as file system information 
indicating the creation data, modification date, etc.” 

With respect to the form of production of requested records, I requested as 
follows: 


“I request that all responsive records be provided in electronic form. 

“With respect to any records held in electronic form, I request that they be 
provided in the original electronic form in which they are held, as complete bitwise 
digital copies of the original e-mail archive files, word processing files, or other 
electronic files, including any file headers, embedded metadata, and all other file content. 
All such data is subject to FOIA and is expressly included within the scope of this request 
for records. 

“With respect to any e-mail messages included in the responsive records, I 
specifically request access to and copies of the complete informational content of the 
underlying electronic records, in their full and complete form including all headers and 
attachments, fully expanded e-mail addresses, full addresses for address ‘aliases’, full 
lists for ‘distribution list’ aliases, and all related metadata.” 

No records were released before the statutory deadline for Amtrak’s response. 
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Beginning March 11, 2015, and continuing through December 21, 2018,1 
received a series of PDF files, apparently created in response to my request. 

Those PDF file contained no searchable text, although they appear to have been 
created from records that were originally found or created as digital text files. The PDF 
files contained only rasterized images of “page views” or screenshots of portions of 
responsive records, as those records were viewed in some unspecified software 
application(s). 

None of these thousands of images were text-searchable, making it prohibitively 
burdensome to search, index, or organize the underlying responsive textual data. 

It is apparent that there is not a one-to-one correspondence between these newly 
created rasterized PDF images files and the responsive files. But it is impossible to 
determine from the PDF files which file(s) correspond(s) to which of the original files, or 
any of the metadata pertaining to the original responsive files. 

Some portions of files were withheld as “Non-Responsive”. See, for example, the 
images reproduced as Attachment A to this appeal. No exemption was claimed as the 
basis for any of these withholdings of portions of files. All portions of such files are 
responsive to item (6) of my request. All these withholdings are plain error and must be 
reversed and the responsive files produced in their entirety on remand. 

All file metadata in the responsive records was removed or replaced with new and 
unrelated metadata pertaining to the newly-created PDF files which were substituted for 
the responsive records. No exemption was claimed with respect to the withheld metadata. 

All metadata pertaining to otherwise responsive files was explicitly requested in 
item (7) of my request. Metadata retained in typical digital filesystems includes the 
filename including any extension; the filesize in bytes, KB, MB, or GB; the name of the 
workstations, server, other device, or virtual server, or the label on the archival or backup 
media, in which the file was found; the path to the file on that device or in that 
filesystem; the creation, modification, and/or any other date(s) for the file, as stored in the 
filesystem in which it is found; and the owner and all permissions (creation, access, and 
modification) for the file in the filesystem in which it is found. 

A search reasonably calculated to retrieve records responsive to item (7) of my 
request would include a search for each of these items of metadata with respect to each 
otherwise responsive file. All such metadata records are responsive to this request, and 
each such item of responsive metadata must be produced unless it is exempt. 

None of the requested and responsive e-mail message source files were produced. 
The images produced showed only selected headers, and only in modified form. E-mail 
addresses in the responsive records, for example, were replaced with e-mail “nicknames”. 


The Identity Project - FOIA appeal, 18-FOI-00164 - 2/4/2019 - page 3 of 13 



An address such as “Jane Doe < jane.doe@companv.com ” in an e-mail header, for 
example, was improperly replaced with only “Jane Doe”. In many cases, this substituted 
short-form name was then withheld pursuant to FOIA Exemption 6. 

But while “Jane Doe” might be exempt, “Company.com” is not personal 
information and could not be exempt pursuant to FOIA Exemption 6. 

The substitution of a “nickname” or “friendly view” for the full e-mail address in 
the header of a responsive record thus leads to the improper withholding of the name of 
the company (or, in the case of Amtrak or a government department, the agency) sending 
or receiving an e-mail message. This pattern is repeated throughout the PDF files. 

These withholdings of non-exempt portions of responsive e-mail message source 
files, including full headers were plain error. They must be reversed on appeal and all 
non-exempt portions of e-mail message source files, including all headers, must be 
produced in the requested native, text-searchable form on remand. 

Several of the images substituted for the responsive e-mail messages contain icons 
representing files which were included in the original e-mail messages as attachments. 
See, for example, the page images reproduced as Attachment B to this appeal. None of 
the collections of images you produced indicate the filenames of the responsive records 
from which they were created. But it appears that many of the files included in the 
responsive email records have not been included in any form in the responses. 

I presume that these attachments are actually included in the responsive 
digital records of email messages, as they are held on mail servers or on backup or 
archival digital media. And where an icon in a view or image of a responsive e-mail 
record indicates that the original message contained an attachment, a search reasonably 
calculated to retrieve responsive records would include a search for each file indicated as 
included as an attachment in the responsive email messages, including a search of the 
original digital records on servers or backup or archival media. The failure to conduct 
such a search was error, and should be reversed and a new search conducted on remand. 

Since the 1996 FOIA amendments, the FOIA statute has required that, “In making 
any record available to a person under this paragraph, an agency shall provide the record 
in any form or format requested by the person if the record is readily reproducible by the 
agency in that form or format.” (5 U.S.C. § 552(f)(2), effective March 31, 1997). 

It is obvious that digital files are readily reproducible by Amtrak (or anyone else) 
in the form of bitwise digital copies. But none of the responsive records were provided in 
that form, despite my explicit, unambiguous, written request for files in native format. 

The failure to search for or release metadata, the failure to release responsive 
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records in the requested form or any text-searchable form, and the withholding of 
responsive data (not based on any FOIA exemption) inherent in the substitution of new 
files in a different format for the responsive records, are all plain error requiring reversal 
on appeal, additional search and production of responsive records on remand, and 
production of all responsive records in the native, text-searchable file format requested. 

The PDF files I received were created from digital files responsive in part to items 
(1), (2), and (3) of my request. But obviously responsive records were not produced, 
strongly suggesting that an adequate search for such records was not conducted. 

In particular, our request included, “(1) Any records of policies... pertaining to 
transfers of data about Amtrak passengers or customers to the Department of Homeland 
Security (DHS)”, “(2) and “the legal basis for such data transfers”, and “(3) Any 
records ... of policies... regarding disclosures to be made concerning transfers of data 
about Amtrak passengers or customers to government agencies including DHS.” 

The most obvious such "policies., regarding disclosures to be made concerning 
transfers of data about Amtrak passengers or customers to ... DHS" are those included in, 
and related to, Amtrak's privacy policy, including the version available at 
< https://www.amtrak.eom/privacy-policv#section-4 >. which explicitly discusses such 
transfers of data pertaining to passengers to DHS and the legal basis for such transfers: 

“Amtrak may share your personal information if required by law, court order, 
subpoena, or other legal process when requested by the United States Department of 
Homeland Security (DHS) pursuant to 49 U.S.C. 114 (2012), the Intelligence Reform and 
Terrorism Prevention Act of 2004, 50 U.S.C. 401 (2004), and implementing regulations 
pursuant to 49 C.F.R. § 1580 (2008).” 

This policy, whose existence is apparent from the Amtrak.com website, and 
related records, are obviously responsive to my request, but no records of this policy or of 
any related records were released in response to this request. 

Any search reasonably calculated to retrieve records responsive to these portions 
of my request would have included a search for records of privacy policies and 
of records pertaining to those policies or the legal basis for them. The failure to conduct 
such a search and release responsive records, including privacy policies and related 
records, was error which should be reversed on appeal. An adequate search should be 
conducted and nonexempt responsive records should be released on remand. 

No records were released responsive to items (4), (5), (6), or (7) of my request. 

No exemption was claimed with respect to any of these records, and there is no indication 
that any search was conducted for such records. 

It appears likely that no such search, or an inadequate search, was conducted. 
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A search reasonably calculated to retrieve records responsive to item (5), for 
example, would include a full-text search (“grep”) of the files in Amtrak’s e-mail archives 
for each of the case-insensitive text strings, “Personal Information Protection and 
Electronic Documents Act”, “PIPEDA”, or “Privacy Commissioner of Canada” (without 
the quotation marks). There is no indication that such a search was conducted. 

I appeal: (A) the adequacy of the search; (B) the withholding of all requested 
metadata; (C) all withholdings as “Non-Responsive” of portions of files containing 
otherwise-responsive records; (D) all withholding of attachment files included in, or 
linked to, responsive e-mail messages; (E) the failure to produce responsive records in the 
requested form or any text-searchable form; and (F) the substitution for the responsive 
records of newly-created files in a less useful format, neither the original nor the 
requested format, and containing less information that either the original or the requested 
format, including the substitution of rasterized images for text files and the substitution of 
incomplete and altered views of e-mail data for the responsive e-mail message source 
files, which results in both a violation of my right to receive records in the requested 
format and the unauthorized withholding of the information contained in the original 
records, but not in the substituted aggregated PDF files of rasterized images. 

As the FOIA statute requires, I expect that you will act on this appeal and produce 
responsive documents within 20 working days. 


Sincerely, 


Edward Hasbrouck 

Consultant on travel-related civil liberties and human rights issues 

The Identity Project 


Attachment A: Examples of images containing portions of files withheld as “Non- 
Responsive” 

Attachment B: Examples of images containing icons representing withheld attachment 
files included in original e-mail messages 
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Attachment A 
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Border crossing.txt 

mtrak/gggg/h 

6 SSR OTHS 1A KKl ID NUM OR GENDER NO EXP DATE: FOR BC 
* A1C 2V 026013 243AN 19282 HLCT-313AN/USD 60.00 



Exemption 6 



Noil-Responsive 








Non-Responsive 



I'rn working on an updated version of the document that will be sent as soon as it is 
finished-. 



Exemption 6 


From: §§j 
Sent: T:;'v ; 

to: mmm 


fi 1:45 PM 














Attachment B 
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Exemption 6 



I feel my visit to the; border went very Well. I was able to see the operation in regards for each aspect of what comes 
across the border and understand how we can help them betterwith the deployment of eTicketing. 


We first met in the main building and went over what happened before and after the devices came into play.. 

Before the train arrives the custom department currently receives a faxed Arrow manifest (SOL*3 - attached) from the 
Albany station around 5:00a in the morning. Arrow also electronically sends a manifest to the border patrol through the 
APIS system. There are some problems with this as sometimes duplicate names appear on the manifest In the APIS 
system which can cause some confusion with the Border Patrol agents. 

They then compare the manifest received from Albany and the APIS information to narrow down the list of most likely 
on board and see if anything is flagged. They do understand this is a planned manifest. 

Around 11a they leave the main site to meet the train when it arrives. The station building itself is closed with asbestos 
warnings ail over it. The Border Patrol has a small separate secure office train side where they can do some research on 
passengers who Were not on the manifest as needed. This is separate from the station. They showed us the office but 
they don't go in there unless they need to. It.has a computer and small printer. The agent was able to pull up his email 
and saw the report but didn't look at it as he had to work the train. 

When they do their inspections the conductors only open the front door on the first coach. The agent's board there 
worked from to the back of the train. If they need to pull someone off they do so and the train continues without them: 

Now with eTicketing in place they are still perform the above, however when they get on board they borrow the,device 
from the conductor artd use the 2+2 screen select the on board button to access the passenger list. They also utilize the 
HNF information for those who did not have reservations and spend more time on those folks. 

i discussed the use of the business objects report: with them and they are very happy that they can see those actuals. 
However there is a gap between the information that's sent to APIS and what's on the Business Objects report (detailed 
below). Since we are currently emailing the.reports they indicated that the idea! time to receive this report is 10:30a and 
no later. As they leave the office at 11a to go to the train, it gives them time to go through it, i believe we have been 
sending that a little later than that. The train leaves St Lambert at 9:45a so, unless the train is late, the report should be 
as up to date by 10:30a than we're going to get 

I did explain the risk of giving them a device and explained that they can have access to the reports and they will be able 
to pull them at their digression . They are happy with that but at this point they cannot access the Citrix site due to their 
firewall restrictions. I will be sending the Citrix link so they can get firewall clearance and also requesting the names and 
information of those who need access. They have about 7-10 agents that may access the reports. 

I believe they knew 1 wasn't there to give them a device but didn't seem to care as (my gut feel is) regardless of the 
reports they will still borrow the conductors device and use that when they board the train as the conductor will do 
what the border agent asks and it's a lot easier than carrying a paper manifest. 


i 














To improve what we currently provide, I recommend that for border crossing reservations we also pull the PNR 
information that is used for customs so that can be shown on the ticket details on the device or at minimum, 
transmitted on the business objects report. This information is only required for border crossing reservations and must 
be entered into all border crossing reservations. 

Below I've provided more details on when we electronically send the Arrow manifest and also the comparison of the 
two reports. 

Let me know if you have any questions. 

(nformation to note: 

Arrow Manifest 

Currently the Arrow manifest is electronically transmitted at specific times prior to departing the last station prior to the 
border. This is the case on all borders. 

3bours before 
15 minutes before 
1 minute before 
O/S time 

Discrepancies between Arrow and Business Object Reports 

The passenger information is stored in the reservation in Arrow 


Field Name 

Arrow APIS 
Manifest 

Business 

Objects 

Passenger 

Total counts 


X 

Passengers Full 
Name 

X 

X 

Crew's Full 

X 


Name 



Name 

X {ex. Crew, 


Identifier 

primary. 

Infant) 


PNR 

X 

X 

RED 

X 



X 


Passport 

Country 

X 


Gender 

X 


ID Type 

X 


IIIPU 1 IJll 

X 


Origin 


X 

Destination 


X 

Lift Type 


X 


X -Data include 


I've also attached the A02 Documents and manifest reports as reference. 
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Amtrak .. 

-Saies and Reservation Systems 
60 Massachusetts Ave. 'NE..4W-111 
Wash i 

Belli I 


Phone:! 


Exemption 6 
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